On Sun, 31 May 2026 at 10:38, Marko, Peter <[email protected]> wrote:
> I do agree that 4 years is too long for patch backports in age of AI
> vulnerability search and CRA.
> However, since the Yocto project does have a 4-year LTS policy, we need to
> deal with that timespan right now.
> Or is there a plan to decrease the LTS maintenance window or to allow more
> version upgrades?

Yocto LTS carries no promises of security, regardless of how long its lifecycle is. The only promises are:
- there's a branch
- there's a maintainer who looks at incoming patches and backport candidates in master
- there's CI which is used to test those patches for lack of regressions
- there's a policy for what those patches can and cannot be

I'm not sure why you see it any other way; the stream of CVE backports is entirely ad hoc volunteer work, and doesn't imply any security guarantees or goals to be met. There are significant limitations to feasibility of those backports: the gradually increasing delta to upstream, the need to keep the stability promise that doesn't allow version updates, and simply lack of people who would do the work.

The only way to deal with these natural limits is to indeed migrate the products off older LTS onto newer Yocto versions in a timely manner, a subject you keep evading.

Personally, I do not like how long LTS maintenance windows are, regardless of how successful and liked that approach is by Yocto users. For two reasons:
- it's hard to contribute to Yocto core when what you're working with is far removed from master. It's a kind of gravity pull in the wrong direction.
- it's harder still to transition to a workflow that regularly updates the product stack. It's just so much easier to stay on LTS until it's no longer possible, instead of pro-actively moving forward.

Alex
